PV181 Laboratory of security and applied cryptography Digital certificates Marek Sýs, Zdeněk Říha | PV1811 Digital certificate • used to prove ownership of the public key • binds public key to identity (identity, email,… ) • Public key is signed by trusted third party – Certification Authority (CA) or other party • two models: centralized and decentralized Certificates history • Introduced in 1978 – Kohnfelder’s bachelor thesis • X.509 – standard - v.1 (1988) – not extendable - v.2 – similar to v.1 - v.3 (1997) optional extension - Other extend X.509 Others - PGP, SPKI, etc. Trust models • Public key infrastructure (PKI) – centralized – hierarchy of CA’s – cert signed by party – used in web browsers – standard X.509 • Web of trust – decentralized model – signed by many parties – used in PGP, GPG – standard OpenPGP PGP • 1991 - Paul Zimmerman • tool to en/decryption, sign data (files, emails,…) • Algs: hash, asymmetric, symmetric, compression • Confidentiality, authentization, integrity • standardized as OpenPGP - RFC 4880 • PGP – commercial – free alternative GPG 5 | PV181 OpenPGP encryption • Authentication & integrity & non-repudiation – hash of plaintext signed by Alice’s private key • Confidentiality 1. Alice generates randomly symmetric key 2. Symmetric key is encrypted with Bob’s public key • Alice sends: – encrypted signed data – encrypted session key 6 | PV181 PGP certificates • Two formats: – PGP cert – X.509 • PGP cert: – PGP version number – Public key (+algorithm) – Identity information – Digital signature – Validity period – Preffered symmetric encryption 7 | PV181 PGP signing and trust • Key distribution: server or sent with data • signing: PGP party – verification of binding – KEY-ID, KEYNAME, FINGERPRINT + identity • Trust: – user – set of certs signed by different entities – 4 levels – unknown, non, marginal, full – signed by myself or fully or 3 marginally keys 8 | PV181 Public key Infrastructure (PKI) • set of roles and procedures: - issue, maintain, administer, revoke, suspend, reinstate, and renew digital certificates - create and manage a public key repository PKI: • CA – stores, issues, signs certs • RA – verifies identity • Central directory– cert requests issued and revoked, • Management system • Cert policy X.509 PKI certificate • Certification Authority – trusted third party • Certificate revocation lists (CRL) – certificates no longer be trusted (compromised key, CA,…) • RFC5280 – defines format and semantics of certs and CRLs • X.509 versions 1,2,3 10 | PV181 X.509 PKI certificate content Serial Number: unique ID of cert Subject: ID of entity Signature algorithm: Signature: Issuer: verifier of info and issued cert Valid–From: date cert is first valid from Valid–To: expiry date Key-Usage: purpose of PK (signature, cert signing, …) Public Key: Thumbprint algorithm: to compute hash of PK cert Thumbprint (fingerprint): hash of abbreviated PK cert Certificate issuing Certificate verification Checking single cert: • current date against validity period • current validity of CA public key • signature of CA on cert • check whether certificate is revoked – CRL or OCSP • policies Certificates hierarchy • root CA (trust anchor) - self-signed certificate • Intermediate CA’s • End entity – user certificate Chain of trust • Trust transfer – to lower CA’s • Root cert, intermediate certs, end-user cert. • Chain: – end-user cert – signed by CA1 – CA1 cert – signed by CA2… – root CA cert – signed by itself Server – sends all certs up to root cert to browser 15 | PV181 Chain of trust 16 | PV181 Certificate path validation Input: cert path, trust anchor Path validation: 1. Check all certs if still valid 2. Check revocation status of certs 3. Check issuer = of previous cert subject 4. Check policy constraints 5. … 17 | PV181 Revocation • Reasons for revocation – key compromise (most common), CA compromise, affiliation change,… • Two states: – revoked – irreversibly for compromised private key – hold – unsure user about key compromising, can be reinstalled • Checked using: – CRL – list of revoked certs – Online Certificate Status Protocol – on demand 18 | PV181 CRL Issued by CA: • Certificate Revocation List (CRL): – list of revoked certificates of end-users • Authority Revocation list – List of revoked cert of CA’s 1. Issuer name 2. Date list created 3. Date next CRL scheduled 4. Entries = serial number + revocation date of cert 19 | PV181 CRL distribution problem • Fixed validity of CRLs – massive load when CRL expires (e.g10M clients download a 1MB CRL issued once a minute = ~150GB/s traffic) Solutions: delta CRL – updates only – newly revoked certs Online Certificate Status Protocol (OCSP) – status of cert -OK / revoked / unknown 20 | PV181 Time aspect What if private key is compromised? How to prove signature was created using secure private key? • Time - critical parameter!!!! • Time stamping authority – sign time stamp • Time stamp – Sig(H(H(data) | time) – is stored by requester with data • Standards - RFC 3161, X9.95, ISO 18014